BlackBerry Push Notifications

(

Mail

)

Request the

BlackBerry Work

app from the Marketplace for Enterprise Software portal.

Log in to entitlements and confirm that you have the appropriate entitlements. For more information about entitlements, see "Configure

BlackBerry Work

connection settings" in the

BlackBerry Work

administration content.

Verify that the following ports are open for

BEMS

:

Inbound TCP ports

61616 or 61617 (SSL) to and from servers that host
BEMS
in the same cluster (bidirectional)
8443 from the
BlackBerry Proxy
or
Good Proxy
server (required for
Presence
and
Push Notifications
), and optionally for
Microsoft Graph
for
Push Notifications
to the reverse proxy server appliance. For more information about how
Microsoft Graph
communicates with
BEMS
, see Architecture: BEMS notification flow using the Microsoft Graph API.
If your environment uses
Microsoft Graph
, you can complete the following:
Restrict the firewall to only accept connections from
Microsoft
's list of IP addresses. For more information on the available
Microsoft Graph
Change notifications IP addresses, see https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide.
Restrict the reverse proxy server to only proxy the /notificationClient URI (for example,
bems_server_name
.example.com:443/notificationClient" ;="bems.example.com:8443/notificationClient BEMS_Pool"
If the reverse proxy appliance is installed in a DMZ, make sure that port 8443 is open from the reverse proxy to each
BEMS
node.

Outbound TCP ports

80 to
Microsoft Exchange Server
(AutoDiscover)
389 and 636 (SSL) to LDAP and 3268 and 3269 (SSL) to Global catalog server
443 to
BlackBerry Dynamics NOC
(includes connections to APNS)
443 to
Firebase Cloud Messaging
(FCM)
443 to
Microsoft Exchange Server
(
Microsoft Exchange Web Services
, AutoDiscover), optionally 443 to
Microsoft Graph
17080 to the
BlackBerry Proxy
or
Good Proxy
server (17433 for SSL)
61616 or 61617 (SSL) to and from servers that host
BEMS
in the same cluster (bidirectional)
Google
Authentication Server URLs:
https://accounts.google.com/o/oauth2/auth
https://oauth2.googleapis.com/token
https://www.googleapis.com/oauth2/v1/certs

Verify that you have a mail server that supports

BEMS

.

Create a

Microsoft Active Directory

account for the

BEMS

service account. For example, BEMSAdmin.

For password considerations, see Creating a

Microsoft Active Directory

account for the

BEMS

service account.

Grant Application Impersonation Permissions to the BEMSAdmin account in

Microsoft Exchange

. For instructions, see Grant application impersonation permission to the service account.

Make sure that your

Microsoft Exchange

Autodiscover is set up correctly.

For more information on how to use third-party tools to test autodiscover, visit support.blackberry.com/community to read article 40351.

Make sure that

Microsoft Exchange Web Services

(EWS) is enabled on port 443, and that connections are permitted from the

BEMS

server.

For

BEMS

environments that use

Microsoft Graph

, create a public DNS entry for each

BEMS

cluster. The DNS entry must point to the reverse proxy appliance. The public DNS entry is used as the "External Notification URL" in the

BEMS

Dashboard when you use

Microsoft Graph

and Configure BEMS to communicate with a Microsoft Office 365 environment using Microsoft Graph API.

Make sure that your

Microsoft Exchange ActiveSync

environment is updated to support TLS 1.2. For more information, visit support.blackberry.com/community to read article 56869. If the TLS version is not updated, Push Notifications fail.

Verify the version of

Microsoft .NET Framework

.

For more information, see Preparing the computer that hosts BEMS for use with Skype for Business.

Verify that your environment is running one of the following:

A version of
BlackBerry UEM
that supports
BEMS
. For instructions on installing or upgrading
BlackBerry UEM
, see the
BlackBerry UEM
Installation and Upgrade content.
A
BlackBerry Dynamics
server that supports
BEMS
.
Important
: The
BlackBerry Dynamics
server must already be installed and operational before installing
BEMS
.

Verify that your server is running an operating system that supports

BEMS

. For information about the supported operating systems, see the BEMS Compatibility Matrix.

Verify that you have the required hardware to host

BEMS

. For more information about hardware, see one of the following:

In a
BlackBerry UEM
environment, see
BlackBerry UEM
Planning content.
In a
Good Control
environment, see the Good Secure Enterprise Suite Planning content.

If you configure your environment for disaster recovery, see the Disaster recovery content.

Make sure that the

BEMS

service account is a local administrator on the server.

Make sure that the

BEMS

service account has "Log on as a service" permission.

Verify that the servers that host and access the

BEMS

Dashboard have a supported browser installed.

Make sure that the server's date and time are set correctly.

Make sure that the server has been joined to the domain.

Make sure that the

Windows

Firewall is disabled.

Disable antivirus programs before you install or upgrade the

BEMS

software.

Verify that you have installed

JRE

8 on the servers where you will install

BEMS

and that you have an environment variable that points to its location. For instructions, see Configure the Java Runtime Environment. For information about supported

JRE

versions, see the BEMS Compatibility Matrix. 

Make sure you have connectivity to

SQL Server

. Typically this is through TCP port 1433.

Ensure connectivity to

Microsoft Exchange Web Services

(EWS). For more information on how to use third-party tools to test connectivity, visit support.blackberry.com/community to read article 40351.

Verify that your environment has a database server that supports

BEMS

.

To configure remote TCP/IP connections for

Microsoft SQL Server

Express, see BlackBerry Push Notifications database requirements.

Make sure that your

Microsoft SQL Server

environment is updated to support TLS 1.2 if database connection encryption is used. If the TLS version is not updated, you receive an error message and can't access the

BEMS

dashboard. For more information, visit support.blackberry.com/community to read articles 56869 and 56865.

Depending on the configuration of your environment (for example, all

BEMS

services on one server or on separate servers), you might need to create one or more

SQL Server

databases.

The following table is an example of a small deployment that has all of the

BEMS

services installed on one server. For an example of a large and small deployment that has all of the

BEMS

services installed on one server, see Example of a small BEMS deployment.

Services	Databases
All BEMS services on the same server	Create a database for the BlackBerry Push Notifications service and call it "BEMS_Core". If this is the first server in the BEMS cluster, create the database. If this is an additional server for the same BEMS cluster, then a new database is not required. Record the existing database name for the BEMS-Core and Mail cluster.

The following table is an example of a large deployment that has the

BEMS

services installed on separate servers. When you create a separate database, you are creating a new cluster for the push notifications. The push notifications are included in the Core database. If you create separate databases, make sure you select the appropriate database for the service. For an example of a large deployment that has the

BEMS

services installed on separate servers, see Example of a large BEMS deployment.

Services	Databases
BlackBerry Push Notifications service ( Mail service) on one server	Create a database and call it "BEMS_Core1".

Make sure that the

Microsoft SQL Server

account or the

BEMS

Windows

service account has db_owner privileges to the database. For more information, visit support.blackberry.com/community to read article 42661.